Building Measurement & Signature Intelligence (MASINT) on a Hacker's Budget:
Tracking & Fingerprinting RF Devices

Who am I? Brad - Just a guy that likes to play with technology!







Disclaimer 



Everything I say is my personal opinion and not those of my employer!

Education and entertainment purposes only!



This is a work in progress! 




Some equipment or functionality may be considered "dual-use munitions" and controlled under ITAR 121.1. Be sure to follow appropriate laws!



Never go full tard! 
Above all do no harm 



Goodbye SOPA.... Goodbye PIPA.... Thank you for playing! 




Agenda

■ What is MASINT / TSCM
■ How is it used & why should you care
■ MASINT on a Hacker's budget
  ■ Equipment
  ■ Testing / Process / Methodology
  ■ Creating / Analyzing Signatures
■ Making things do what they were not intended!
■ What's next
■ Q&A




Let's get our terms right

■ What is MASINT?
  ■ Measurement & Signature Intelligence
  ■ Collection of unintended emissions or byproducts of devices
  ■ All devices generate unique undesirable transmission artifacts
  ■ Discrete intelligence gathering process
  ■ DoD - officially adopted as an intelligence discipline in the 80s
  ■ Often aggregated with other intelligence sources (ELINT, SIGINT, HUMINT, etc.)
■ MASINT - (Tactical and Strategic Sensors)
  ■ Electro / Electronic
  ■ Nuclear / Explosives
  ■ Geospatial / Materials
  ■ Radio Frequency / Electromagnetic fields*



Who uses it? - What does it do?

■ DoD and Intel Community
  ■ Identify / tag "enemy" equipment
  ■ For RF MASINT - identifies types of comms
  ■ Frequency, origin and strength - (SOI)
  ■ Signal Intelligence Support System - (SIGINT)
■ Gather actionable intelligence

RF MASINT - What does it do? Cont...

■ Lots of passive intelligence to be had!
  ■ Unique hardware / radio frequency signature
  ■ Characteristics of the signal
  ■ Track user movements and habits via RDF
■ Other useful intelligence
  ■ Hardware capabilities / transmission range / frequencies
  ■ Identify patterns & weaknesses
  ■ Naturally occurring / very difficult to spoof*




MASINT - Why Should you Care?

■ Make some Info. Sec. friendly tools
  ■ Add MASINT components to your pen testing capabilities
  ■ Uniquely identify equipment by its RF signature
  ■ Track people by the electronic devices they carry
■ Develop Technical Surveillance Counter Measures (TSCM) capabilities
  ■ Identify spurious transmissions / jamming
■ Battlefield RF MASINT capabilities are being adapted for:
  ■ Law Enforcement - tracking transmissions / illegal devices, etc.
  ■ Commercial use (Industrial & Corporate Espionage) - law offices
  ■ Information on competitors' products
■ Cost and complexity of MASINT technology is decreasing
  ■ Legality of law enforcement using MASINT for intel gathering remains unchallenged



RF MASINT - Let's Build It!




Let's build it!!! - Equipment

■ Spectrum analyzers - lots of choices, but:
  ■ Generally very expensive! ($10K-$60K)
  ■ Typically not designed to provide MASINT or TSCM functionality
  ■ Limited frequency range
  ■ Difficult to get data out of in raw form
  ■ Restrictive antenna capabilities
  ■ Some hacker friendly models exist (Spectran, Anritsu, Tektronix, etc.)
■ Device of choice - Signal Hound (USB-SA44B)
  ■ Software defined / USB connected / easily interfaced
  ■ Decoding capabilities (FM, WFM, NFM, CW, SSB, Video, FSK, ASK, etc.)
  ■ API available / scripting friendly
  ■ Low cost: $300 - $400 used
  ■ 1 Hz to 4.4 GHz / fast sweep times*
  ■ Good sensitivity / built-in preamp / attenuators*
  ■ Calibration capabilities



Let's build it!!! - Spectral collection

■ Premise - low power RF equipment can be uniquely identified
■ Signature structure
  ■ Signature taken at a set frequency (446 MHz, 220 MHz, 146 MHz, 900 MHz)
  ■ RF signature recorded over 3 secs with a span of 10 kHz
  ■ Unique signature created using amplitude (max & min) per Hz
  ■ Approx. distance 10 ft - no faraday enclosure used



Motorola XTS3000 model3 



Let's build it!!! - SOI Signature Collection

Finding unique RF characteristics

■ All electronic devices will generate unique "artifacts" in near-field
■ Filtering ambient noise with 10 dB attenuation
■ Measuring mW at the SDR antenna; attenuation to reduce …
■ Collecting amplitude max/mins
■ RF span 10 kHz
■ 3+ sec measurement
■ 340 points of interest
■ 0.e-14 sensitivity
■ .CSV file output
■ User defined max amplitude

[Analyzer screen capture: START 445.99500 MHz, CENTER 445.000 MHz, SPAN 10.000 kHz, STOP 446.00500 MHz, SWP 390.0 msec]



Let's build it!!! - SOI Signature Creation

■ Signature creation scripts - Python
■ Signature Generator & Signature Compare

root@bt:~# cd /home/bbowers/programming/
root@bt:/home/bbowers/programming# ./SignatureGenerator.py
##################################################################
#MASINT Unique Signal Generator
#written by: Brad Bowers (warezjoe)
#Usage: ./SignatureGenerator.py <inputfile> <MaxAmplitude> <outputfile>
#MaxAmplitude should be represented as a float of dBm. eg. 5.0E-9
#A maximum of 50 data points will be created for the signature
##################################################################
root@bt:/home/bbowers/programming# ./SignatureGenerator.py MotorolaXTS3000\ 446mhz.csv 3.5E-
('446.001276', '6.09361e-008')
('446.001305', '1.33385e-008')
('446.001335', '3.68395e-009')
('446.001365', '2.23598e-008')
('446.001394', '1.15437e-008')
('446.001424', '2.76819e-008')
('446.001454', '3.90126e-008')
('446.001483', '1.21885e-008')
('446.001513', '1.73988e-008')
('446.001543', '4.55595e-008')
('446.001573', '2.97313e-008')
('446.001602', '5.1873e-008')
('446.001632', '6.49304e-008')
('446.001662', '9.00618e-008')
('446.001691', '5.32056e-008')
('446.001721', '3.23399e-008')
('446.001751', '6.70959e-008')
('446.00178', '2.29753e-008')
('446.00181', '7.02177e-009')
('446.00184', '1.62638e-008')
('446.001869', '2.53573e-008')
('446.001899', '2.90239e-008')
('446.001929', '2.52822e-008')
('446.001958', '6.04547e-009')
('446.00273', '3.62869e-009')
('446.002789', '3.76091e-009')
('446.002819', '3.93631e-009')
Signature file written to signature.log
root@bt:/home/bbowers/programming#



Let's build it!!! - SOI Signature Compare

Signature Comparing

■ No two signatures will come back 100% the same
■ Script provides a configurable tolerance
■ Tolerance does not sway results significantly because of the ranges
■ Negative hits increase as you move away from center

root@bt:/home/bbowers/programming# ./SignalCompare.py
##########################################################################################
#MASINT - Signal Dump File Compare
#written by: Brad Bowers (warezjoe)
#SignalCompare is a tool to compare discrete signal dumps created from a Spec Analyzer
#or other signal receiving device using structured csv output.
#Usage: ./SignalCompare.py <Signal file1> <Signal file2> <tolerance in %> <output_file>
#Signature files should have same number of unique POI for most accurate results
#Signature files should have been created with same Maximum Amplitude
#Example command ./SignalCompare.py Signal1 Signal2 15 results.log
##########################################################################################
root@bt:/home/bbowers/programming# ./SignalCompare.py MotorolaXTS3000_446mhz.csv AstroSpectraUHF446mhz.csv 5 results.csv
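The collection, signature-creation and compare steps on the preceding slides, as an added worked example. This is not the talk's SignatureGenerator.py or SignalCompare.py (their source is not on the slides); it is illustration code written for this page. Assumptions: the analyzer CSV has two columns (frequency in MHz, amplitude in mW), the tool's <MaxAmplitude> argument acts as a floor below which a bin is not a point of interest, a match means the second file's amplitude falls inside a ±tolerance window around the first file's amplitude, and every sweep value below is constructed rather than measured.

```python
"""Added illustration, not the talk's SignatureGenerator.py / SignalCompare.py:
fold repeated sweeps into per-bin max/min amplitude, keep the points of interest
(POI) that form a signature, and compare two signatures with a % tolerance.
The CSV layout, the threshold's role and the match rule are assumptions, and
every sweep below is constructed, not a real capture."""
import csv
import io

MAX_POINTS = 50        # the talk's tool caps a signature at 50 data points
THRESHOLD_MW = 3.5e-9  # constructed floor for a bin to count as a POI


def parse_sweep(text):
    """Parse 'frequency_MHz,amplitude_mW' rows (assumed layout; header optional)."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        try:
            rows.append((round(float(rec[0]), 6), float(rec[1])))
        except (ValueError, IndexError):
            continue  # header, blank or junk line
    return rows


def fold_sweeps(sweeps):
    """Combine sweeps of one span into {freq: (max_mW, min_mW)}, the per-bin
    max/min the collection slide records over a 3+ second measurement."""
    bins = {}
    for sweep in sweeps:
        for freq, amp in sweep:
            hi, lo = bins.get(freq, (amp, amp))
            bins[freq] = (max(hi, amp), min(lo, amp))
    return bins


def build_signature(bins, threshold_mw, max_points=MAX_POINTS):
    """POI = bins whose max reaches the threshold (assumed meaning of the tool's
    <MaxAmplitude> argument), strongest first, capped at max_points, returned
    as (freq, max_mW) sorted by frequency."""
    poi = [(f, hi) for f, (hi, _lo) in bins.items() if hi >= threshold_mw]
    poi.sort(key=lambda fa: fa[1], reverse=True)
    return sorted(poi[:max_points])


def compare_signatures(sig_a, sig_b, tolerance_pct):
    """For each POI of sig_a build the window amp*(1 -/+ tol) and test whether
    sig_b's amplitude at that frequency lies inside it.  Returns (positives,
    negatives, rows) with rows = (freq, upper, lower, 'Pos'|'Neg') like the
    tool's results file; a POI absent from sig_b is a 'Neg'."""
    b_amp, tol, rows = dict(sig_b), tolerance_pct / 100.0, []
    for freq, amp in sig_a:
        upper, lower = amp * (1 + tol), amp * (1 - tol)
        other = b_amp.get(freq)
        hit = other is not None and lower <= other <= upper
        rows.append((freq, upper, lower, "Pos" if hit else "Neg"))
    positives = sum(1 for r in rows if r[3] == "Pos")
    return positives, len(rows) - positives, rows


# Constructed 10 kHz-span captures: A is one radio swept twice, B the same
# model in a later session, C a different radio.  Not measurements.
FREQS = [446.001276, 446.001305, 446.001335, 446.001365, 446.001394,
         446.001424, 446.001454, 446.001483, 446.001513, 446.001543]
AMPS_A1 = [6.09e-8, 1.33e-8, 2.10e-9, 2.23e-8, 1.15e-8, 2.76e-8, 3.90e-8, 1.21e-8, 1.50e-9, 4.55e-8]
AMPS_A2 = [a * 0.97 for a in AMPS_A1]          # second sweep, slightly weaker
AMPS_B = [6.20e-8, 2.00e-9, 2.00e-9, 2.18e-8, 1.18e-8, 2.70e-8, 2.00e-8, 1.24e-8, 1.40e-9, 4.50e-8]
AMPS_C = [1.20e-8, 5.10e-8, 4.00e-9, 2.30e-8, 3.30e-8, 9.00e-9, 7.70e-8, 6.00e-9, 2.50e-8, 1.90e-8]


def as_csv(amps):
    """Render one sweep in the assumed analyzer CSV layout."""
    return "MHz,mW\n" + "\n".join("%.6f,%.3e" % fa for fa in zip(FREQS, amps))


def run_demo(tolerance_pct=5):
    """Signature A against the same model (B) and a different radio (C)."""
    sig_a = build_signature(fold_sweeps([parse_sweep(as_csv(AMPS_A1)),
                                         parse_sweep(as_csv(AMPS_A2))]), THRESHOLD_MW)
    sig_b = build_signature(fold_sweeps([parse_sweep(as_csv(AMPS_B))]), THRESHOLD_MW)
    sig_c = build_signature(fold_sweeps([parse_sweep(as_csv(AMPS_C))]), THRESHOLD_MW)
    return {"poi": len(sig_a),
            "same_model": compare_signatures(sig_a, sig_b, tolerance_pct)[:2],
            "other_radio": compare_signatures(sig_a, sig_c, tolerance_pct)[:2]}


if __name__ == "__main__":
    for tol in (5, 20):  # the slide's point: tolerance barely moves the outcome
        print("tolerance %d%%:" % tol, run_demo(tol))
```

With the constructed sweeps, the same-model comparison yields 6 positive and 2 negative matches and the different-radio comparison 1 positive and 7 negative, and those counts do not change between a 5% and a 20% tolerance: the bins that disagree disagree by far more than any sensible window, which is the behaviour the compare slide describes. The two negatives on the same model come from one bin that dropped below the POI floor in the second session and one that moved by about half, so a signature from a single capture is only as good as the capture conditions the caveats slide lists.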



Let's build it!!! - Signature Compare Contin...

Signature file written to results.csv
Number of positive matches 28
Number of negative matches 58
root@bt:/home/bbowers/programming#



[results.csv excerpt; the frequency column is cut off in the capture and each row pairs two amplitude values with a Pos/Neg result]
(…, 2.2533525000000001e-10, 2.0387475e-10, 'Pos')
(…, 5.9130014999999996e-10, 5.3498584999999995e-10, 'Pos')
(…, 1.1152889999999999e-09, 1.0090709999999998e-09, 'Pos')
(…, 3.370416e-10, 3.0494239999999997e-10, 'Pos')
…



Caveats

■ Lots of things can throw off your Signals of Interest (SOI)
  ■ Changing antennas, RF noise, physical structures, atmospheric, etc.
  ■ Spread spectrum signals can be missed in a simple full spectrum sweep
■ Lower output devices require a closer (near field) range
  ■ Some devices have too low of an output in standby mode to detect cleanly
■ Antennas are extremely important
  ■ RDF requires both attenuators and directional antennas (Yagi)
  ■ 96" discone and a collection of whip antennas worked well (YMMV)
■ Sweep speeds become really important when looking at TSCM
  ■ 20 secs is very fast for low cost units. OSCOR devices are probably better



To Summarize

Lots of interesting intelligence can be derived from unintended emissions or artifacts.

All electronics put off some form of near field RF artifacts.

RF MASINT / TSCM capabilities can be developed using relatively low cost SDR spectrum analyzers and a bit of code.

MASINT technology is slowly being incorporated in the commercial sector.

RF MASINT / TSCM capabilities may add a new "value add" to pen testing engagements.



What's Next? Where's this going....?

■ Down converters
■ Auto detection
■ Signal database
■ SIGINT
■ Demodulating signals
■ Signal tracing
■ Ambient noise tracking
■ Threat Detection Algorithm (TDA)
■ Full spectrum snapshots
■ SOI collection
■ … bug detection
■ Vector Modulation (VSA)
■ Tolerance tuning
■ Manufacturers
■ 802.11 devices
■ 802.15.4 devices
■ Infrared
THANK YOU!!!

Contact information: Warezjoe
warezjoe@digitalintercept.com

Special Thanks to Mike M. (Megalos) & David P. (Yeti)



